Case Rex on drop-down

Contributor

I have a query that receives input from a drop-down.

Example info coming from the drop-down:
Static: All = *
Dynamic = Application name + Version

All
Nitro 10.9.1.1455
Runner 11.2.1.1444
Calendar 11.1.0.1355

I am physically splitting the name of the application from the version number because my index has Application as a separate field from Version and does not accept the application together with the version (i.e. Calendar 11.1.0.1355) as an input. I am combining the two in my drop-down for user simplicity.

How queries require the input:
Application = Calendar
Version = 11.1.0.1355

index=search
| eval Applications = "$App_token$"
| rex field=Applications "^(?<Application>^\D+)"
| rex field=Applications "^(?<Install_Version>^\d.*)"
| dedup Mac_Address Application
| search "StoreNo"=* Mac_Address=* "Install Status"=* "App Updated Date"=* "Last Seen"=* "OS Version"="*" 
|chart limit=50 count over "Application" by "Install Status"

How would I build a case where "All" would display all applications rather than *?


SplunkTrust

@JoshuaJohn, what are the fields in your index=search corresponding to Application and Version? You have not applied any filter for either one in your search.

Besides your query, you should also check your existing query for the following:

1) All your search filters should be in your base query:

 index=search "StoreNo"=* Mac_Address=* "Install Status"=* "App Updated Date"=* "Last Seen"=* "OS Version"="*"

2) You should have a single rex for Application and Install_Version. If the Application name does not have spaces, you can try the following:

| rex field=Applications "^(?<Application>[^\s]+)\s(?<Install_Version>.*)"

If there may be spaces in the Application name, you can try the following:

| rex field=Applications "^(?<Application>\D+?)\s+(?<Install_Version>[\d.]+)$"

PS: This could also be handled in the drop-down itself. Will your drop-down have multiple entries for the same App with different versions?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
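An added offline check of the rex patterns in this thread (example code, not from the question or either reply): it applies the question's two rex commands and the two single-pattern variants suggested above to constructed drop-down values, shows where each one mis-splits, and maps a selection to the search filter the question is after, with "*" meaning All. It assumes the index fields are named Application and Version, and writes Splunk's (?<name>...) groups in Python's (?P<name>...) form.

```python
import re

# Patterns from the thread, with Splunk's PCRE-style (?<name>...) groups written as
# Python's (?P<name>...). The constructs involved (\D, \d, \s, ., anchors, lazy
# quantifiers) behave the same in both engines, so the outcomes carry over to rex.
ORIGINAL = [  # the two rex commands from the question, applied one after the other
    re.compile(r"^(?P<Application>^\D+)"),
    re.compile(r"^(?P<Install_Version>^\d.*)"),
]
NO_SPACES = [re.compile(r"^(?P<Application>[^\s]+)\s(?P<Install_Version>.*)")]
WITH_SPACES = [re.compile(r"^(?P<Application>\D+?)\s+(?P<Install_Version>[\d.]+)$")]

# Constructed drop-down values in the shape the question describes ("All" carries "*").
DROPDOWN = ["*", "Nitro 10.9.1.1455", "Runner 11.2.1.1444",
            "Calendar 11.1.0.1355", "Adobe Reader 23.1.20093"]


def extract(patterns, value):
    """Mimic consecutive rex commands: each pattern adds the named groups it
    matches and contributes nothing when it does not match at all."""
    fields = {}
    for pat in patterns:
        m = pat.search(value)
        if m:
            fields.update(m.groupdict())
    return fields


def split_selection(value):
    """Turn one drop-down value into a filter dict; an empty dict means 'All'."""
    if value == "*":
        return {}
    fields = extract(WITH_SPACES, value)
    if len(fields) != 2:
        raise ValueError(f"drop-down value is not 'Name Version': {value!r}")
    return fields


def spl_filter(value):
    """Search clause for the base query: '*' keeps every application, otherwise an
    exact match on both fields (field names Application / Version are assumed)."""
    sel = split_selection(value)
    if not sel:
        return "*"

    def esc(s):  # escape quotes and backslashes for a quoted SPL value
        return s.replace("\\", "\\\\").replace('"', '\\"')
    return f'Application="{esc(sel["Application"])}" Version="{esc(sel["Install_Version"])}"'


if __name__ == "__main__":
    for v in DROPDOWN:
        print(f"{v!r:28} original rex -> {extract(ORIGINAL, v)}")
        print(f"{'':28} search filter -> {spl_filter(v)}")
```

Running it shows that the question's second rex never extracts a version from any "Name Version" value (the string starts with letters, not a digit) and that the first rex keeps the trailing space in Application.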

Influencer

Hi

Can you check if that works for you?

 index=search
 | eval Applications = "$App_token$"
 | rex field=Applications "^(?<Application>^\D+)"
 | rex field=Applications "^(?<Install_Version>^\d.*)"
 | dedup Mac_Address Application
 | search "StoreNo"=* Mac_Address=* "Install Status"=* "App Updated Date"=* "Last Seen"=* "OS Version"="*" 
 |chart limit=50 count over "Application" by "Install Status"
 | eval Application=if(Application=="*","All",Application)

It is just a cosmetic operation at the end of the whole calculation.
